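    def flash_nor(self, nor):
        """Flash the NOR image *nor* through the iBSS flash-NOR shellcode.

        Boots the patched iBSS first (boot_ibss), then uploads a payload laid
        out as [shellcode, zero padding up to MAX_SHELLCODE_LENGTH, nor] in
        Recovery Mode and triggers it with the 'run' command.  A USBError
        raised by the run command is treated as expected (the original notes
        the flash "should still work" in that case).  *nor* must be bytes.
        """
        self.boot_ibss()
        print('Sending iBSS payload to flash NOR.')
        MAX_SHELLCODE_LENGTH = 128
        with open('bin/ibss-flash-nor-shellcode.bin', 'rb') as f:
            shellcode = f.read()
        # The shellcode occupies a fixed slot ahead of the NOR image, so it
        # must never exceed that slot.
        assert len(shellcode) <= MAX_SHELLCODE_LENGTH
        # b'\x00' keeps the padding a bytes value on both Python 2 and 3.
        payload = shellcode + b'\x00' * (MAX_SHELLCODE_LENGTH - len(shellcode)) + nor

        device = recovery.acquire_device()
        try:
            # The shellcode is built for the iPhone 3GS SoC (CPID 8920) only.
            assert 'CPID:8920' in device.serial_number
            recovery.send_data(device, payload)
            try:
                print('Sending run command.')
                recovery.send_command(device, 'run')
            except usb.core.USBError:
                # Expected: see docstring.
                pass
        finally:
            # Release the handle even if the CPID check or the upload fails.
            recovery.release_device(device)
        print('If screen is not red, NOR was flashed successfully and device will reboot.')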
        advanced = ['exit-recovery-loop', 'enable-uart']
        opts, args = getopt.getopt(sys.argv[1:], 'c:f:', advanced)
    except getopt.GetoptError:
        print 'ERROR: Invalid arguments provided.'
        print_help()
        sys.exit(2)

    if len(opts) == 0:
        print_help()
        sys.exit(2)

    for opt, arg in opts:
        if opt == '-c':
            device = recovery.acquire_device()
            try:
                recovery.send_command(device, arg)
            except usb.core.USBError:
                print 'WARNING: Caught USBError after running command.'
            recovery.release_device(device)

        if opt == '-f':
            try:
                with open(arg, 'rb') as f:
                    data = f.read()
            except IOError:
                print 'ERROR: Could not read file:', arg
                sys.exit(1)

            device = recovery.acquire_device()
            recovery.send_data(device, data)
            recovery.release_device(device)
    aesInput = f.read(BLOCKS_CNT * 16)
    assert (len(aesInput) == BLOCKS_CNT * 16)
    print(binascii.hexlify(aesInput))
    print("\n\n")

    lastblock = bytes([0x00] * 16)

    aesOutput = bytes()

    curblockindex = 0
    while curblockindex < BLOCKS_CNT:
        input = aesInput[16 * curblockindex:16 * (3 + curblockindex)]
        cmd = "d " + binascii.hexlify(input).decode()
        print(cmd)  #DEBUG
        recovery.send_command(dev, cmd)
        rsp = dev.ctrl_transfer(0xC0, 0, 0, 0, 0x600, 30000)[0:-1]

        for i in range(16):
            rsp[i] ^= lastblock[i]

        print(binascii.hexlify(rsp))
        aesOutput += bytes(rsp)

        lastblock = input[-16:]

        curblockindex += int(len(rsp) / (16 * 2))
#        exit(1)

    print("lol--")
    print(aesOutput)
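    def boot_ibss(self):
        """Boot a patched iBSS 4.3.5 on the attached iPhone 3GS via DFU.

        Reads n88ap-iBSS-4.3.5.img3 from the working directory, checks its
        SHA-256 against the known-good digest, decrypts it, applies the
        patches in n88ap_iBSS_435_patches, uploads the result over DFU and
        finally waits for the device to appear in Recovery Mode.

        Every failure path prints a message and terminates the process with
        sys.exit(1); nothing is raised to the caller.
        """
        print('Sending iBSS.')
        if self.config.cpid != '8920':
            print('ERROR: Boot iBSS is currently only supported on iPhone 3GS.')
            sys.exit(1)

        help1 = 'Download iPhone2,1_4.3.5_8L1_Restore.ipsw and use the following command to extract iBSS:'
        help2 = 'unzip -p iPhone2,1_4.3.5_8L1_Restore.ipsw Firmware/dfu/iBSS.n88ap.RELEASE.dfu > n88ap-iBSS-4.3.5.img3'

        def fail(message):
            # Every image problem ends the same way: error, extraction hint, exit.
            print(message)
            print(help1)
            print(help2)
            sys.exit(1)

        try:
            with open('n88ap-iBSS-4.3.5.img3', 'rb') as f:
                data = f.read()
        except IOError:
            # Narrowed from a bare except so that unrelated bugs do not
            # masquerade as a missing image file.
            fail('ERROR: n88ap-iBSS-4.3.5.img3 is missing.')
        if len(data) == 0:
            fail('ERROR: n88ap-iBSS-4.3.5.img3 exists, but is empty (size: 0 bytes).')
        # Accept only the exact expected image: the patch offsets below are
        # specific to this build.
        expected_sha256 = 'b47816105ce97ef02637ec113acdefcdee32336a11e04eda0a6f4fc5e6617e61'
        if hashlib.sha256(data).hexdigest() != expected_sha256:
            fail('ERROR: n88ap-iBSS-4.3.5.img3 exists, but is from the wrong IPSW or corrupted.')

        iBSS = image3.Image3(data)
        decryptediBSS = iBSS.newImage3(decrypted=True)
        n88ap_iBSS_435_patches = [
            (0x14954,                     'run\x00'), # patch 'reset' command string to 'run'
            (0x17654, struct.pack('<I', 0x41000001)), # patch 'reset' command handler to LOAD_ADDRESS + 1
        ]
        # The first 64 bytes are kept as-is; patches apply to the remainder.
        patchediBSS = decryptediBSS[:64] + utilities.apply_patches(decryptediBSS[64:], n88ap_iBSS_435_patches)

        # First DFU pass: reset counters and request validation.  The serial
        # check guards against a different device having enumerated.
        device = dfu.acquire_device()
        assert self.identifier == device.serial_number
        dfu.reset_counters(device)
        dfu.request_image_validation(device)
        dfu.release_device(device)

        time.sleep(0.5)

        # Second DFU pass: upload the patched image and request validation.
        device = dfu.acquire_device()
        assert self.identifier == device.serial_number
        # The return value was previously assigned to `data` but never used.
        dfu.send_data(device, patchediBSS)
        dfu.request_image_validation(device)
        dfu.release_device(device)

        time.sleep(0.5)

        print('Waiting for iBSS to enter Recovery Mode.')
        device = recovery.acquire_device()
        recovery.release_device(device)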

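    def flash_nor(self, nor):
        """Flash the NOR image *nor* through the iBSS flash-NOR shellcode.

        Boots the patched iBSS first (boot_ibss), then uploads a payload laid
        out as [shellcode, zero padding up to MAX_SHELLCODE_LENGTH, nor] in
        Recovery Mode and triggers it with the 'run' command.  A USBError
        raised by the run command is treated as expected (the original notes
        the flash "should still work" in that case).  *nor* must be bytes.
        """
        self.boot_ibss()
        print('Sending iBSS payload to flash NOR.')
        MAX_SHELLCODE_LENGTH = 128
        with open('bin/ibss-flash-nor-shellcode.bin', 'rb') as f:
            shellcode = f.read()
        # The shellcode occupies a fixed slot ahead of the NOR image, so it
        # must never exceed that slot.
        assert len(shellcode) <= MAX_SHELLCODE_LENGTH
        # b'\x00' keeps the padding a bytes value on both Python 2 and 3
        # (a str literal would raise TypeError against bytes on Python 3).
        payload = shellcode + b'\x00' * (MAX_SHELLCODE_LENGTH - len(shellcode)) + nor

        device = recovery.acquire_device()
        try:
            # The shellcode is built for the iPhone 3GS SoC (CPID 8920) only.
            assert 'CPID:8920' in device.serial_number
            recovery.send_data(device, payload)
            try:
                print('Sending run command.')
                recovery.send_command(device, 'run')
            except usb.core.USBError:
                # Expected: see docstring.
                pass
        finally:
            # Release the handle even if the CPID check or the upload fails.
            recovery.release_device(device)
        print('If screen is not red, NOR was flashed successfully and device will reboot.')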

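    def decrypt_keybag(self, keybag):
        """Return the GID-decrypted form of the 48-byte *keybag*.

        Results are cached in aes-keys/S5L<cpid>-firmware as consecutive
        (keybag, decrypted_keybag) records of KEYBAG_LENGTH bytes each, so
        a cache hit never touches the device.  On a miss the keybag is
        decrypted on a pwned DFU device and the new record is appended.
        Note that the cache holds decrypted keys in plaintext on disk.

        Raises AssertionError if *keybag* is not KEYBAG_LENGTH bytes or the
        cache file is not a whole number of records.
        """
        KEYBAG_LENGTH = 48
        assert len(keybag) == KEYBAG_LENGTH

        KEYBAG_FILENAME = 'aes-keys/S5L%s-firmware' % self.config.cpid
        try:
            with open(KEYBAG_FILENAME, 'rb') as f:
                data = f.read()
        except IOError:
            # No cache yet: best effort, the file is created on append below.
            data = bytes()
        # One record is a (keybag, decrypted) pair.  The original wrote
        # `len(data) % 2 * KEYBAG_LENGTH`, which by precedence only checked
        # that the length was even.
        RECORD_LENGTH = 2 * KEYBAG_LENGTH
        assert len(data) % RECORD_LENGTH == 0

        for i in range(0, len(data), RECORD_LENGTH):
            if keybag == data[i:i + KEYBAG_LENGTH]:
                return data[i + KEYBAG_LENGTH:i + RECORD_LENGTH]

        device = PwnedDFUDevice()
        decrypted_keybag = device.aes(keybag, AES_DECRYPT, AES_GID_KEY)

        # Binary append so the bytes record is written unchanged on Python 3.
        with open(KEYBAG_FILENAME, 'ab') as f:
            f.write(keybag + decrypted_keybag)

        return decrypted_keybag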